Skip to content

Guide to the Secure Configuration of Debian 12

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Restrict unprivileged access to the kernel syslog

    Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To check the con...
    Rule Medium Severity
  • Disable mutable hooks

    Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is available at <code>/boot/config-*</code>. To ...
    Rule Medium Severity
  • Enable Yama support

    This enables support for LSM module Yama, which extends DAC support with additional system-wide security settings beyond regular Linux discretionary access controls. The module will limit the use o...
    Rule Medium Severity
  • Enable SLUB debugging support

    SLUB has extensive debug support features and this allows the allocator validation checking to be enabled. The configuration that was used to build kernel is available at <code>/boot/config-*</cod...
    Rule Medium Severity
  • Configure OpenSSH Server if Necessary

    If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file <code>/etc/ssh/sshd_config</code>. The following recommendations can be app...
    Group
  • SSH RekeyLimit - size

    Specify the size component of the rekey limit.
    Value
  • SSH RekeyLimit - size

    Specify the size component of the rekey limit.
    Value
  • SSH Compression Setting

    Specify the compression setting for SSH connections.
    Value
  • SSH Privilege Separation Setting

    Specify whether and how sshd separates privileges when handling incoming network connections.
    Value
  • SSH LoginGraceTime setting

    Configure parameters for how long the servers stays connected before the user has successfully logged in
    Value
  • SSH MaxStartups setting

    Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.
    Value
  • Set SSH Client Alive Count Max to zero

    The SSH server sends at most <code>ClientAliveCountMax</code> messages during a SSH session and waits for a response from the SSH client. The option <code>ClientAliveInterval</code> configures time...
    Rule Medium Severity
  • Enable TCP/IP syncookie support

    Normal TCP/IP networking is open to an attack known as SYN flooding. It is denial-of-service attack that prevents legitimate remote users from being able to connect to your computer during an ongoi...
    Rule Medium Severity
  • Unmap kernel when running in userspace (aka KAISER)

    Speculation attacks against some high-performance processors can be used to bypass MMU permission checks and leak kernel data to userspace. This can be defended against by unmapping the kernel when...
    Rule Medium Severity
  • Disable x86 vsyscall emulation

    Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also disable the helpful warning if a program tries to use a vsyscall. With this option set to N, offending pro...
    Rule Low Severity
  • Kernel GCC plugin configuration

    Contains rules that check the configuration of GCC plugins used by the compiler
    Group
  • Disable core dump backtraces

    The <code>ProcessSizeMax</code> option in <code>[Coredump]</code> section of <code>/etc/systemd/coredump.conf</code> specifies the maximum size in bytes of a core which will be processed. Core dump...
    Rule Medium Severity
  • Disable storing core dump

    The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
    Rule Medium Severity
  • Enable ExecShield

    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and othe...
    Group
  • kernel.kptr_restrict

    Configure exposition of kernel pointer addresses
    Value

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules